Cyber Essentials – Would it have saved Lincolnshire County Council?

Cyber Essentials is a UK Government driven scheme which is designed to help businesses of all size reduce the risk and impact from malware attacks. It is mandatory for those who provide services to the MOD. Cyber Essentials is becoming mandatory for those who provide services to any other government department – including local government and councils.

This is a good thing.

Despite there being some criticisms of Cyber Essentials, the scheme does what it says on the tin. It helps businesses prevent things like ransomware knocking them out.

Sadly, not every government department practices what they preach.

Lincolnshire County Council – Hit by ransomware Jan 2016

Around 26 January 2016, Lincolnshire County Council was hit with a ransomware attack. Initial reports from the BBC claimed the demands were for £1m. However by the end of the week this had been corrected to the more normal £300.

Ransomware can be devastating for home users. It has the potential to destroy priceless data. Few home users take proper back ups and end up having to pay. This means there is a lot of money to be made.

Organisations are different. The assumption is they will have backups. There is also an assumption they will never pay. This all means criminals very rarely target businesses with ransomware. What is likely to have happened is simply a user made a mistake with their email.

This happens a lot. It is also one of the reasons why Cyber Essentials was created and why it is so valuable for businesses.

Would Cyber Essentials Have Helped?

Within the Cyber Essentials framework there are five security control areas. These are the foundations of good security.

Boundary Firewalls & Internet Gateways.

Secure Configuration.

Access Control.

Malware Protection.

Patch Management.

As you can see, it is simple. It is also very effective. Good controls for all five are likely to have prevented the ransomware attack. Even if they didn’t, the Council could have bounced back in less than a week.

If Cyber Essentials had been in place, the following should have worked:

The initial phishing attack should have been detected at the boundary.

If devices were properly configured, ransomware would struggle to run. There would also be no fear of lateral movement. This fear forced the council to shut down all services for a week.

Secure configuration also includes a working backup policy. Taking a week to restore from backups is shocking.

Good access control policies would prevent the ransomware encrypting anything other than the files belonging to the infected user.

Having effective anti-malware means using more than “signature based” detection. The news reports all state this ransomware variant was too new for AV signatures. This means that they were not using heuristics….

In a nutshell, Cyber Essentials would have saved the Council here. The worst that ransomware should do is a few hours downtime for one user while you restore from backups. Everything else means you’ve made major mistakes.

Ransomware isn’t new. It shouldn’t be unexpected. Suffering from it should no longer be acceptable. If you outsource, you absolutely MUST ensure your provider knows what they are doing. This does not seem to be the case here.

Cyber Essentials is not a silver bullet. However, it will prevent 80% of cyber attacks.